Dad forwarded an e-mail that tried to simplify the difference between HTTP and HTTPS and I wanted to add a bit to that.
Think of HTTPS as a secure telephone line
No one can eavesdrop, but don’t assume HTTPS is “secure” unless you know who’s on the other end. Evil and good-but-poorly-managed web sites can use HTTPS just as easily as Amazon.
E.g. a phishing e-mail could tell you to “log in to eBay” at https://ebay.securelogin.ru/. That URL is HTTPS, but the site you’d be talking to is securelogin.ru, not eBay; the padlock only tells you the connection is encrypted, not who is on the other end. Always check the domain!
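To make “check the domain” concrete, here is a small Python script (added example, not part of the original post) that pulls the real hostname out of a link and asks whether it actually belongs to the site you expect. The sample links are constructed, and it assumes eBay’s genuine domain is ebay.com.

```python
from urllib.parse import urlsplit

# Constructed sample links, modelled on the phishing example above (not real pages).
SAMPLE_LINKS = [
    "https://ebay.securelogin.ru/",          # HTTPS, but the site is securelogin.ru
    "https://www.ebay.com.evil.example/",    # "ebay.com" buried inside another domain
    "https://ebay.com@evil.example/login",   # "ebay.com" is userinfo; the host is evil.example
    "HTTPS://WWW.EBAY.COM/signin",           # genuine (assuming eBay's real domain is ebay.com)
    "http://www.ebay.com/",                  # genuine domain, but not encrypted
]

def host_of(url):
    """Hostname of a URL, lowercased, with userinfo and port stripped.
    urlsplit() puts everything before '@' into the userinfo part, so the
    'ebay.com@evil.example' trick yields 'evil.example'. Returns None if absent."""
    return urlsplit(url.strip()).hostname

def belongs_to(host, site):
    """True only when host is `site` itself or a subdomain of it.
    A plain substring test would be fooled by 'ebay.com.evil.example'."""
    if not host:
        return False
    return host == site or host.endswith("." + site)

def check_link(url, site):
    """Return (uses_https, host, really_that_site) for one link."""
    parts = urlsplit(url.strip())
    return (parts.scheme == "https", parts.hostname, belongs_to(parts.hostname, site))

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        https, host, genuine = check_link(link, "ebay.com")
        verdict = "OK" if https and genuine else "DON'T SIGN IN"
        print(f"{verdict:14} https={https!s:5} host={host!s:28} {link}")
```

Only the fourth link passes both tests: encrypted, and a host that really ends in ebay.com.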
Public WiFi Networks
Most wifi networks in public places (and, sadly, in homes) are not password protected and therefore highly insecure. Any information (passwords, URLs) that travels over HTTP in these locations can be trivially captured by anyone with a laptop; assume that some kid sitting at Starbucks can see anything you do over HTTP. Don’t sign in to sites over HTTP and, in fact, if you’re already logged in, log out of HTTP sites before you browse them.
By the way, please, please, put a password on your wireless network at home. Otherwise the kid at Starbucks can easily park next door and spy on you from his car.
Webmail: Use Gmail or check it at home
As of today, Gmail is the only web-based e-mail site that allows all operations over HTTPS (as long as you use the HTTPS URL). Yahoo! and the others log you in over HTTPS, but your viewed and composed messages are sent over HTTP. Don’t view or send e-mail with sensitive info on public wifi networks (unless you’re on secure Gmail). The same goes for messages sent within social networks like MySpace and Facebook. If you’re at Starbucks, assume someone else can read everything you can.
Since many web accounts are tied to your e-mail (password resets go there), the security of your e-mail account should be your top priority. Also use a strong, unique password for it that you don’t use on any other site.
On a wired connection, HTTP is mostly safe
Since HTTP is not encrypted, a “man-in-the-middle” could theoretically see you browsing just like at Starbucks, but these are so rare that no one I know has ever heard of one occurring in real life. It’s best practice for sites to use HTTPS for all sensitive operations like signing in, but I don’t fret it when my connection is wired and my home wifi is password-protected.
This is the tip of the web security iceberg, but these practices are essential in my opinion.